Data Processing Agreement
Last updated: March 12, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "Customer") and Cognova ("Data Processor") for the processing of personal data in connection with the Service.
This DPA applies where and only to the extent that Cognova processes personal data on behalf of the Customer in the course of providing the Service, and such personal data is subject to data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, or the California Consumer Privacy Act (CCPA).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- Sub-processor: A third party engaged by Cognova to process personal data on behalf of the Customer
- Data Subject: The individual whose personal data is being processed
3. Scope of Processing
Subject Matter
Processing of personal data as necessary to provide the Cognova AI agent workspace service.
Duration
For the term of the Customer's subscription, plus any retention period specified in our Privacy Policy.
Nature and Purpose
- Storing and managing conversation data between users and AI agents
- Processing knowledge files uploaded by the Customer
- Managing workspace membership and access controls
- Processing AI interactions through sub-processors (Anthropic)
- Sending transactional communications
Types of Personal Data
- Account identifiers (name, email)
- Conversation content (may contain personal data at the Customer's discretion)
- Knowledge file content (may contain personal data at the Customer's discretion)
- Usage and billing data
Categories of Data Subjects
- Customer's employees and team members
- Individuals whose data may be included in conversations or knowledge files
4. Obligations of the Data Processor
Cognova shall:
- Process personal data only on documented instructions from the Customer
- Ensure that persons authorized to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests
- Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return all personal data upon termination of the Service, at the Customer's choice
- Make available information necessary to demonstrate compliance with this DPA
5. Sub-processors
Current Sub-processors
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Anthropic | AI model inference | United States | Conversation messages, system prompts, knowledge context |
| Railway | Cloud hosting | United States | All Service data (encrypted) |
| Resend | Transactional email | United States | Email addresses, email content |
| Stripe | Payment processing | United States | Billing and payment information |
Sub-processor Changes
We will notify the Customer of any intended changes to sub-processors at least 30 days before the change takes effect. The Customer may object to the change by notifying us within 14 days. If the objection cannot be resolved, the Customer may terminate the affected Service.
6. Security Measures
Cognova implements the following security measures:
- Encryption in transit using TLS 1.2+
- Encryption at rest for all database storage
- AES-256-GCM encryption for stored secrets and credentials
- Workspace-level access isolation
- Session-based authentication with secure cookies
- Regular security updates and dependency monitoring
- Access controls limiting employee access to personal data
7. Data Breach Notification
In the event of a personal data breach, Cognova shall:
- Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories of data affected, approximate number of data subjects affected, and measures taken to address the breach
- Cooperate with the Customer in investigating and mitigating the breach
8. Data Subject Requests
If Cognova receives a request from a data subject to exercise their rights (access, rectification, erasure, restriction, portability, objection), Cognova shall:
- Promptly notify the Customer
- Assist the Customer in fulfilling the request
- Not respond directly to the data subject unless authorized by the Customer
9. International Data Transfers
Personal data may be transferred to and processed in the United States. For transfers from the European Economic Area (EEA) or United Kingdom, such transfers are made under Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other approved transfer mechanisms.
10. Audits
The Customer may audit Cognova's compliance with this DPA by:
- Requesting and reviewing relevant compliance documentation
- Requesting responses to reasonable audit questionnaires
- With reasonable notice and during business hours, conducting an on-site or remote audit (no more than once per year)
11. Term and Termination
This DPA is effective for the duration of the Customer's use of the Service. Upon termination:
- Cognova will delete all personal data within 30 days, unless retention is required by law
- The Customer may request an export of their data before deletion
12. Contact
For DPA-related inquiries, contact us at [email protected].